
VPNFilter malware enslaving home networking devices worldwide

25 May 2018

A malware called VPNFilter is quickly becoming the security emergency of the year as the number of infections rises – with few ways to defend against it.

At least 500,000 devices in 54 countries are thought to be infected by the malware. According to Cisco Talos, the malware may be the work of a state-sponsored or state-affiliated threat actor.

So far, Ukraine is one of the most heavily infected countries. Researchers note that the multi-stage VPNFilter shares code with BlackEnergy, the malware behind several large-scale attacks against devices in Ukraine.

“The news out today from Cisco about a massive breach of routers and storage devices – including notable infections in Ukraine – shows that hackers continue to attempt to penetrate the Information Technology (IT)/Operational Technology (OT) barrier,” comments Forcepoint CTO of global governments and critical infrastructure, George Kamis.

Although researchers admit they do not yet have answers to all of their questions, they say the scale and capability of the operation are both ‘concerning’.

“The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” researchers explain.

Known affected devices so far include Linksys, MikroTik, NETGEAR, TP-Link, and QNAP – but Cisco’s research is ongoing and more devices may soon be added to the list.

Large enterprise-grade routers, Cisco routers and switches, and devices from other enterprise vendors are not known to be affected by the malware so far.

"Businesses and consumers alike are often not aware that their devices are susceptible to vulnerabilities already being targeted in the wild, and even when they are aware, many IoT devices are difficult to update and securely configure at best. Compromising these devices can lead to further network attacks, data and communication theft and, as in the case of VPNFilter, being recruited as a weapon in a huge botnet, awaiting the next command," comments Webroot director of threat research David Kennerley.

Cisco Talos researchers add that the targeted devices are also difficult to protect.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

“This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.”

Sophos senior technologist Paul Ducklin adds, "It's time for a router health check.”

"Home devices like routers are popular targets for cybercrooks these days, yet they're often neglected from a cybersecurity point of view. Start with the basics. Check for a firmware update with your router vendor - do it today! And pick proper passwords - the crooks know every default password that ever left the factory, so why make it easy for them?"

Security firm Symantec adds that owners of infected devices should reboot their devices immediately.

“If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.”

“You should then apply the latest available patches to affected devices and ensure that none use default credentials.”

Affected devices include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik Cloud Core Routers running RouterOS: models CCR1016, CCR1036 and CCR1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Cisco Talos researchers also offer the following recommendations:

  • Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
  • Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
  • ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
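Two of the recommendations above (Symantec's "ensure that none use default credentials" and Ducklin's "the crooks know every default password that ever left the factory") are easy to check from the LAN side before the attacker does. The script below is an added example written for this page, not code from Cisco Talos, Symantec or any vendor: it tries a short list of candidate username/password pairs against a device's HTTP admin interface using Basic authentication and reports the first pair the device accepts. The candidate list is illustrative and constructed, not any vendor's documented defaults, and the mock router it runs against is a constructed stand-in so the example works offline; point `find_default_creds` at a real router's LAN address and port to audit your own device.

```python
"""Audit a SOHO router/NAS admin interface for factory-default credentials.

Added example for this article; not Talos, Symantec or vendor code.
The credential list and the mock router below are constructed for illustration.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, illustrative candidate pairs: substitute the defaults listed in
# your own device's manual when auditing real equipment.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")]


def try_login(host, port, user, pw, path="/", timeout=3.0):
    """Send one HTTP Basic-auth request; return the status code, or None if unreachable."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def find_default_creds(host, port, candidates=DEFAULT_CREDS):
    """Return the first (user, password) the device accepts with HTTP 200, else None.

    Stops early if the device cannot be reached, so "None" means either
    "no candidate accepted" or "not tested"; callers should check reachability
    separately if they need to tell those apart.
    """
    for user, pw in candidates:
        status = try_login(host, port, user, pw)
        if status is None:
            return None
        if status == 200:
            return (user, pw)
    return None


class MockRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin page protected by Basic auth."""
    accepted = "admin:admin"  # overridden per instance by start_mock()

    def do_GET(self):
        hdr = self.headers.get("Authorization", "")
        ok = hdr.startswith("Basic ") and base64.b64decode(hdr[6:]).decode() == self.accepted
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(accepted):
    """Start a mock router on 127.0.0.1 with an ephemeral port; return the server."""
    handler = type("MockRouterInstance", (MockRouter,), {"accepted": accepted})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_mock(accepted="admin:admin"):
    """Run the audit against a mock router configured with the given real credential."""
    srv = start_mock(accepted)
    try:
        return find_default_creds("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("factory default left in place:", audit_mock("admin:admin"))
    print("password changed:", audit_mock("admin:Xk9!longpass"))
```

This only covers devices whose admin interface uses HTTP Basic authentication; many consumer routers use a form-based login instead, so a `None` result is not proof that the password was changed. It also says nothing about whether the device is already infected: as the Talos and Symantec guidance above notes, a reboot clears the non-persistent stage 2 and stage 3 components, but only a firmware update (and, where the vendor recommends it, a factory reset) addresses the vulnerabilities that let stage 1 in.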